15:00:48 <gagehugo> #startmeeting security
15:00:49 <openstack> Meeting started Thu Dec 13 15:00:48 2018 UTC and is due to finish in 60 minutes.  The chair is gagehugo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:00:50 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
15:00:53 <openstack> The meeting name has been set to 'security'
15:02:05 <gagehugo> ping eeiden fungi gagehugo lhinds nickthetait browne redrobot
15:02:21 <nickthetait> hey
15:02:28 <redrobot> o/ but only kinda... also in a conference call :-\
15:02:48 <gagehugo> nickthetait redrobot: o/
15:03:32 <gagehugo> #link https://etherpad.openstack.org/p/security-agenda
15:03:56 <gagehugo> nothing really on the agenda afaik for this week
15:04:03 <gagehugo> do you guys have anything?
15:04:39 <Luzi> o/
15:05:28 <gagehugo> Luzi o/
15:07:05 <Luzi> there has been some confusion for me about, what projects you all represent in here?
15:07:11 <fungi> there was one concern raised on a security hardening bug about interest in an ossn
15:07:24 <fungi> Luzi: we represent openstack
15:07:37 <fungi> though we have backgrounds individually in lots of different pieces
15:08:16 <Luzi> fungi, i mean the backgrounds, in which openstack projects you are somehow active
15:08:53 <fungi> i personally am on the technical committee, vulnerability management team, opendev/infra team and on the osf staff, among other hats
15:09:40 <gagehugo> I'm mostly active with keystone and the vulnerability management team
15:10:10 <gagehugo> fungi: that was the bug from april right?
15:10:44 <fungi> no, getting the link
15:10:52 <fungi> #link https://launchpad.net/bugs/1795800 Username enumeration via response timing difference
15:10:54 <openstack> Launchpad bug 1795800 in OpenStack Identity (keystone) "Username enumeration via response timing difference" [Wishlist,Triaged]
15:10:58 <nickthetait> for me, still pretty new. Contributed to some OSSNs and reviewing a few proposals that would have security impact.
15:10:59 <gagehugo> ty
15:11:14 <fungi> the reportter seems to be interested in more widely communicating that particular username enumeration oracle
15:11:14 <gagehugo> oh that one
15:12:53 <fungi> nickthetait: you worked/work on the bandit code security analyzer too, right?
15:13:14 <gagehugo> hmm I wonder with the flask rework if that would be easier to fix
15:13:18 <nickthetait> yup
15:14:08 <fungi> Luzi: so anyway, a fairly diverse crowd, at least today
15:14:15 <fungi> and you're with secustack, i gather?
15:16:30 <fungi> and redrobot (who said he's "only kinda" around) is a core reviewer on barbican
15:16:45 <Luzi> fungi: yes, we have looked into a few different openstack projects like so far
15:16:55 <fungi> and lhinds sometimes joins us, a long-time contributor to the openstack security guide
15:18:05 <Luzi> fungi, nice to know
15:21:05 <nickthetait> quick (non-security) question: was there a proposal to change the length of releases? Don't remember where I heard this
15:22:05 <fungi> nickthetait: it's come up off and on over the years. most recent discussion last year looked at options anywhere from quarterly to annually and concluded that semi-annual was still a good compromise for now
15:22:27 <nickthetait> okay thx
15:23:00 <fungi> a lot of that tied into the long-term-stable/extended-maintenance discussions as well as the skip-level/fast-forward upgrades discussions
15:23:57 <fungi> i think once em and ffu get a little more entrenched it might be easier to shift our release cadence in the future
15:25:47 <fungi> Luzi: anyway, as i mentioned on that recent openstack-discuss mailing list thread, people with a variety of backgrounds and involvement in various bits of openstack, but as a result we're also all pulled in lot of different directions, and we'd welcome involvement from people with backgrounds in some of the other popular components of openstack. particularly the ones i which you're trying to get a
15:25:48 <fungi> foothold with the encrypted images specs
15:26:23 <fungi> (cinder, glance, nova...)
15:26:54 <fungi> (...oslo...)
15:27:25 <Luzi> i just wanted to update my knowledge so far :) it's good to know, with whom you are talking and what background they have
15:30:40 <nickthetait> welcome to the security SIG luzi!
15:30:54 <Luzi> nickthetait, thank you
15:31:58 <fungi> i tend to be particularly spotty with my input in these meetings because they overlap with the busiest technical committee office hour slot of the week
15:32:15 <fungi> so my apologies
15:32:44 <Luzi> fungi, no problem - i know what overlapping meetings look like :)
15:34:27 <gagehugo> double meetings
15:34:50 <gagehugo> does anyone have anything else they want to discuss this week?
15:35:09 <gagehugo> fungi: I can take a look at that bug
15:35:21 <fungi> thanks gagehugo
15:35:30 <nickthetait> no big news from me
15:35:33 <gagehugo> I may need to find a lower power device to test it on though
15:36:28 <fungi> and no, i didn't have anything especially exciting to bring up. i guess there's the ml thread on which the slow pace of moving the encrypted images work forward is progressing, and finding ways to better publicize/endorse the benefits of the feature Luzi and colleagues are designing
15:37:49 <fungi> thread starts at:
15:37:58 <fungi> #link http://lists.openstack.org/pipermail/openstack-discuss/2018-December/000464.html [all]Forum summary: Expose SIGs and WGs
15:38:39 <gagehugo> cross-project specs always move slowly it seems
15:40:27 <gagehugo> I thought I saw a temporary sig involving the projects get mentioned, not sure if that was in the email thread or tc chat
15:41:00 <fungi> described as an even more informal "pop-up team" concept
15:41:31 <fungi> basically the emergent behavior we tend to see when efforts like that (cinder/nova multi-attach for example) play out successfully
15:42:06 <fungi> a way of pointing out what worked well and recommending similar sorts of patterns of interaction
15:46:33 <nickthetait> interesting
15:51:01 <gagehugo> thanks for coming everyone, feel free to ping in openstack-security if there are any more questions
15:51:11 <gagehugo> #endmeeting